23 August 2015

Tip of the day: password complexity

A few years back, if someone asked me what a secure password should look like, I would have said: between 8 and 12 characters, containing random upper-case and lower-case letters, at least one number and, if allowed, one symbol. Back then such a password was unbreakable with anything but the strongest supercomputers. Anything over 12 characters was pointless and would just take longer to type, which is annoying in those situations where you need to type it often (like your Windows login screen).

However, times have changed. Computers have become much more powerful and affordable, and with the recent advances in cloud computing, brute-forcing a password has become a more viable strategy.

You may ask yourself what brute-forcing means. It means trying every possible combination for a password until a match is found. For example, a brute-forcing program might start with the password aaaaa and work its way through all combinations until ZZZZZ. This is a very basic example; real tools are much smarter than this (for example, they try the more likely combinations first).

So, what does a secure password look like today? The answer is a passphrase. We can have secure passwords by taking passphrases and turning them into passwords. Example: "I like strawberries!" can become 1L1k3Strawb3rr13s!.

What I did was take a phrase that is easy to remember, replace "i" with 1 and "e" with 3, and capitalise the first letter of every word. Now we have a password that is 18 characters long, yet it's easy to remember and decently fast to type (with some practice). Compare this to something like z1XqV453tZ86!Ubn9. I'll let you decide which one is better.
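To see what the recipe above does in practice, and to put numbers on the brute-forcing discussion, here is a small Python script added to this post (it is not the author's code). It applies the three transformations from the post, then counts the search space a blind brute-force attacker would face for a given password, taking as alphabet the classes of printable ASCII characters actually present (lower-case, upper-case, digits and string.punctuation, 94 in total) and a guess rate you supply. The guess rate and the decision to treat an upper-case "E" like "e" are assumptions; the post only shows "I" becoming 1 and lower-case "e" becoming 3.

```python
import string

# Letter substitutions the post uses: "i" -> "1", "e" -> "3". The post's own
# example turns the word "I" into "1", so both cases of a letter are replaced
# (doing the same for "E" is an assumption; the post only shows lower-case "e").
SUBSTITUTIONS = {"i": "1", "e": "3"}

# Character classes used to estimate a blind brute-force search space.
CHAR_CLASSES = (
    string.ascii_lowercase,   # 26
    string.ascii_uppercase,   # 26
    string.digits,            # 10
    string.punctuation,       # 32
)


def passphrase_to_password(phrase: str) -> str:
    """Apply the post's recipe: capitalise every word, swap letters for digits, drop spaces."""
    words = []
    for word in phrase.split():
        word = word[0].upper() + word[1:]
        for letter, digit in SUBSTITUTIONS.items():
            word = word.replace(letter, digit).replace(letter.upper(), digit)
        words.append(word)
    return "".join(words)


def charset_size(password: str) -> int:
    """Alphabet size a brute-forcer must cover: the sum of the classes actually present."""
    return sum(len(cls) for cls in CHAR_CLASSES if any(c in cls for c in password))


def keyspace(password: str) -> int:
    """Number of candidates of this length drawn from the same character classes."""
    return charset_size(password) ** len(password)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate, in years."""
    return space / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e10  # assumed guess rate (guesses per second); adjust to your threat model
    samples = (passphrase_to_password("I like strawberries!"),  # the post's passphrase
               "z1XqV453tZ86!Ubn9",                             # the post's random password
               "Passw0rd!")                                     # constructed 9-character example
    for pw in samples:
        space = keyspace(pw)
        print(f"{pw:20} len={len(pw):2} alphabet={charset_size(pw):2} "
              f"keyspace~2^{space.bit_length() - 1} years={years_to_exhaust(space, rate):.3g}")
```

The keyspace figure is for a blind search over every character. As the post says, crackers are smarter than that: one that guesses common phrases word by word and applies the same i-to-1 and e-to-3 substitutions as candidate rules faces a far smaller space, so the phrase itself should be something only you would say, not a well-known quote or song title.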

17 February 2014

Using NMap to enumerate network devices

1. Some background info
NMap is a free utility for network discovery and security auditing. Initially designed as a better replacement for ping, it has grown into a full-fledged network auditing framework which can discover devices, find out what services and OS versions are running and what firewalls/IDS/IPS are in place, and even conduct exploitation or DoS attacks thanks to its flexible scripting engine. More about NMap and what it can do here.

2. The task
We will use various NMap scan techniques to discover targets in our network, what ports they have open and what services are listening on those ports.

3. Requirements
- a laptop/PC running NMap. You can get NMap here for whatever platform you are running. Alternatively, you can use a pentest distribution like Kali.
- a target. You can use another computer on your network or a virtual machine. I use Metasploitable. You can get it and find out more about it here. I advise you to get it, as we're going to use it as a target for future lessons.
Please ensure you have permission to scan the target. While port scanning by itself is not illegal in most countries, it can be annoying and even dangerous (services on the target could crash because of it). Also, some ISPs don't take kindly to it, so you might end up losing your internet subscription.
My advice: use a virtual machine.

4. Let's begin
Open a command prompt/terminal and execute

nmap

You will get a list of the various arguments NMap can be run with. NMap has a GUI as well but today we're going to use the command prompt. You can scan a range of IPs using this command:

nmap 192.168.100.1-200

The command above will scan all IPs from 192.168.100.1 to 192.168.100.200. There are many other ways to specify IP ranges. Let's say we found a live target at 192.168.100.102. By default, when we only pass a target or a range of targets, NMap first checks which hosts are up by sending an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80 and an ICMP timestamp request. We can use arguments to change this.
The following command sends only a TCP ACK packet to port 80, skipping the ping step:

nmap -p80 -sA -Pn 192.168.100.102

This is a much quieter scan, but a packet sniffer/IDS/IPS on the target can still see our attempt. Fortunately, NMap allows us to spoof our IP address. The following command uses fragmentation to evade IDS/IPS and IP spoofing to make it look as if someone else was doing the scan:

nmap -p80 -sA -Pn -f -S 192.168.100.101 -e eth0 192.168.100.102

This command makes it look as if 192.168.100.101 was doing the scan. There is also another way, called the idle scan or zombie scan. For this approach we need another live device in the network which is idle and has an open port. The following command uses 192.168.100.101, which has port 2869 open, to scan port 80 on target 192.168.100.102:

nmap -p80 -Pn -sI 192.168.100.101:2869 192.168.100.102

NMap can do more than just scan ports. The next command will try to discover what OS is running on the target:

nmap -O -Pn 192.168.100.102

For the OS scan to be reliable, the target needs to have at least one open port and one closed port.
NMap has a lot more to offer; we barely scratched the surface. You can begin by studying and doing the examples from the NMap Reference Guide.
A great book to have on NMap is Nmap 6: Network Exploration and Security Auditing Cookbook.
A good idea is to set up Wireshark on your target so you can see what each scan you do looks like and what it does. You can get some sample captures I made from here.

5. Alternatives
The hping utility is a good alternative. It comes with a lot of features and, just like NMap, lets you extend its functionality through TCL scripts (NMap uses a flavour of Lua).

6. How to defend
You can't prevent port scanning, but then again port scanning by itself is not dangerous. What you can do is limit the information a port scanner like NMap can get from you. Always use a firewall and never open ports unless you really need them. You can also configure an IPS/IDS and monitor the activity, though I haven't found one that works easily out of the box for personal use. You can also have Wireshark set up for intrusion detection.
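One cheap way to monitor the activity without a full IDS is to have the firewall log the packets it drops or the new connection attempts it sees, and then look for a single source touching many different ports in a short time, which is what the scans in section 4 look like from the target's side. The script below is an added example, not the post's code or any IDS's: it assumes iptables-style LOG lines (the SRC=, DST=, PROTO= and DPT= fields behind a syslog timestamp) and a constructed sample log, and it flags any source that hits at least min_ports distinct TCP ports within window_seconds. One caveat follows from the post itself: for a scan run with -S or as an idle scan, the SRC in your log is the spoofed or zombie address, so the alert tells you a scan is happening, not who is behind it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog timestamp at the start of each line, then the iptables LOG fields we need.
TS_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)")
FIELDS_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def _log_line(ts: str, src: str, dpt: int, flags: str) -> str:
    """Build one constructed iptables LOG line (sample data, not a real capture)."""
    return (f"{ts} target kernel: [scan] IN=eth0 OUT= SRC={src} DST=192.168.100.102 "
            f"LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=40000 DPT={dpt} "
            f"WINDOW=1024 RES=0x00 {flags} URGP=0")


# Constructed sample: a scanner at 192.168.100.101 walks twelve ports in twelve seconds
# (bare ACK probes, as "nmap -sA" sends), while 192.168.100.50 only uses the web server.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 139, 443, 445, 3306, 8080]
SAMPLE_LOG = "\n".join(
    [_log_line(f"Feb 17 10:00:{5 + i:02d}", "192.168.100.101", p, "ACK")
     for i, p in enumerate(SCAN_PORTS)]
    + [_log_line(f"Feb 17 10:0{m}:00", "192.168.100.50", 80, "SYN") for m in range(5)]
    + [_log_line("Feb 17 10:06:00", "192.168.100.50", 443, "SYN")]
)


def parse_events(log_text: str) -> dict:
    """Group (timestamp, destination port) pairs per source address for TCP packets."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts_m, f_m = TS_RE.match(line), FIELDS_RE.search(line)
        if not ts_m or not f_m or f_m.group("proto") != "TCP" or f_m.group("dpt") is None:
            continue  # not a TCP packet line we can use
        ts = datetime.strptime(ts_m.group("ts"), "%b %d %H:%M:%S")  # syslog carries no year
        events[f_m.group("src")].append((ts, int(f_m.group("dpt"))))
    return events


def detect_port_scans(log_text: str, window_seconds: int = 60, min_ports: int = 10) -> dict:
    """Return {source: most distinct ports seen in one window} for sources over the threshold."""
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, evs in parse_events(log_text).items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward past old packets
            distinct = len({dpt for _, dpt in evs[start:end + 1]})
            if distinct >= min_ports:
                alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


if __name__ == "__main__":
    for src, n in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {n} distinct ports within 60s")
```

The thresholds are deliberately conservative; a slow scan spread over hours will slip under a 60-second window, which is exactly why a firewall that only exposes the ports you need matters more than the detector.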

7. What's next?
We now have a target. We know some basic info about it, like what ports are open, what services are using those ports and the OS. It is time to find a weakness and exploit it, and that's what we'll do next time.

06 February 2014

New tools of the trade - Kali pentest distribution

After encountering some issues configuring and running Metasploit framework on BackTrack 5 R3 in a virtual machine, I have decided to finally make the switch to Kali.

So far, the decision has been a good one. Kali runs fine both in a virtual machine and as a live USB stick. The interface is nice and sleek, if a bit too dark and lacking any colour. But it's customisable, so it's not a real issue.
I also like the new "Start" menu and how applications are arranged. It's easier to navigate than BackTrack.

The Top 10 Security Tools menu is also a nice addition and lists the best tools you can use, like the Metasploit framework for all your exploitation needs, Aircrack-ng for testing and penetrating wireless networks, Wireshark for analysing network traffic, Nmap for discovering targets and their weak spots, and some others just as useful.

Everything runs well, without unexpected errors or other anomalies. Installation is very straightforward, has an intuitive GUI and provides all sorts of neat options (like encrypting the drive).

You can get Kali and read more about it here.